Banks to phase out use of OTP for digital tokens, Latest Singapore News - The New Paper

Bank customers in Singapore who use digital tokens will soon be unable to use one-time passwords (OTPs) to log into their bank accounts.

The move was announced by the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) in a joint news release on July 9, as part of efforts to better protect customers against phishing.

Major retail banks in Singapore will phase out the use of OTPs for account login for customers who are digital token users within the next three months.

These include the three local banks: DBS Bank, OCBC Bank and UOB.

Customers who are using physical tokens will not be affected. But the authorities are urging users of physical tokens to switch to digital tokens.

Digital tokens in highly secure banking apps generate push notifications seeking banking users’ approval – in a process known as second-factor authentication – before an online transaction goes through.

When digital tokens are set up, scammers would need to steal users’ phones to remotely execute any transaction.

In contrast, OTPs can be easily hijacked by a scammer – either obtained via social engineering tactics or intercepted through spyware on a phone – to execute an unauthorised remote transaction.

Therefore, OTPs are not effective against phishing attacks.

“Customers who have not activated their digital tokens are strongly encouraged to do so, to lower the risk of having their credentials phished,” said MAS and ABS in the joint statement.

Additionally, banking apps are equipped with anti-malware capabilities, which will block any access to the app when malware is detected on the device.

Phishing scams were among the top five scam types here in 2023, with victims losing at least $14.2 million in total, according to annual police figures.

The use of OTP was introduced in the 2000s as a multi-factor authentication option to boost online security.

However, MAS and ABS noted that technological developments and more sophisticated social engineering tactics, such as setting up fake bank websites that closely resemble the real ones, have since enabled scammers to more easily phish for customers’ OTPs.

“This latest measure will strengthen the authentication process, making it harder for scammers to fraudulently access a customer’s account and funds without the customer’s explicit authorisation using his mobile device,” they said.

Mrs Ong-Ang Ai Boon, director of ABS, said: “While they may give rise to some inconvenience, such measures are necessary to help prevent scams and protect customers.”

MAS’ assistant managing director (policy, payments and financial crime) Loo Siew Yee added that the authority “continues to work closely with banks to protect consumers by leaning hard against digital banking scams”.

“This latest measure will complement good cyber hygiene practices that customers must continue to practise, such as safeguarding their banking credentials,” she said.

Citibank, meanwhile, said it has phased out SMS OTPs in favour of authentication via digital tokens for customers enrolled in the latter since 2023.